CVE-2019-25448

6.4 MEDIUM

📋 TL;DR

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability: an authenticated attacker can inject JavaScript by creating a user whose name field carries a script payload. When other users view the application, the script executes in their browser context. All OrientDB deployments running the vulnerable version with user creation enabled are affected.

💻 Affected Systems

Products:
  • OrientDB
Versions: 3.0.17
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to create users. All deployments with user creation functionality are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deploy ransomware through the application interface.

🟠 Likely Case: Session hijacking, credential theft, and unauthorized actions performed in the context of legitimate users.

🟢 If Mitigated: Limited impact with proper input validation and output encoding, though some data exposure may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access but is trivial to execute with valid credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.18 and later

Vendor Advisory: https://orientdb.dev/

Restart Required: Yes

Instructions:

1. Back up your database.
2. Download OrientDB 3.0.18 or later from official sources.
3. Stop the OrientDB service.
4. Replace the installation with the patched version.
5. Restart the OrientDB service.
6. Verify functionality.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Implement server-side input validation to sanitize user creation parameters.
  • Implement custom middleware to validate/sanitize the name parameter before processing.

Disable User Creation (applies to: all)

  • Temporarily disable user creation functionality for non-admin users.
  • Modify the OrientDB configuration to restrict user creation to administrators only.

🧯 If You Can't Patch

  • Implement WAF rules to block POST requests with JavaScript patterns in name parameter
  • Enable Content Security Policy headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check the OrientDB version: if you are running 3.0.17, you are vulnerable. Test by attempting to create a user with <script>alert('test')</script> in the name field.

Check Version:

Run orientdb --version or check the server startup logs.

Verify Fix Applied:

After patching, attempt the same XSS payload in user creation. It should be sanitized or rejected.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /document endpoint with script tags in parameters
  • User creation logs containing JavaScript patterns

Network Indicators:

  • HTTP POST requests with suspicious content in name parameter
  • Outbound connections to unknown domains after user creation

SIEM Query:

source="orientdb" AND (method="POST" AND uri="/document" AND (param="*<script>*" OR param="*javascript:*"))
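The SIEM query above matches the literal strings "<script>" and "javascript:" and so misses URL-encoded or mixed-case variants. The following is an added example, not part of the original advisory or of OrientDB, showing the same detection logic run over constructed log lines: it URL-decodes and case-folds the name parameter of POSTs to /document before matching. The log line format ("<client> <METHOD> <uri> [<form-encoded body>]") and the sample lines are assumed for illustration; the same matcher can back the server-side input validation workaround described earlier.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Patterns the advisory names (<script> tags, javascript: URIs) plus inline
# event handlers. Matched after URL-decoding and case-folding so that
# "%3Cscript%3E" or "<ScRiPt>" is caught where a literal "*<script>*" would miss it.
SCRIPT_PATTERNS = re.compile(r"<\s*script|javascript\s*:|on\w+\s*=", re.IGNORECASE)

def normalise(value: str) -> str:
    """URL-decode up to three times (defeats double encoding), then lowercase."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()

def is_suspicious_name(name: str) -> bool:
    """True when a user-name value carries a script-injection pattern."""
    return bool(SCRIPT_PATTERNS.search(normalise(name)))

# Assumed (constructed) line format: "<client> <METHOD> <uri> [<form-encoded body>]"
LOG_LINE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) \[(?P<body>.*)\]$")

def flag_user_creation_events(lines):
    """Return (client, raw name) for POSTs to /document whose name parameter looks like XSS."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["method"] != "POST" or not m["uri"].startswith("/document"):
            continue
        params = parse_qs(m["body"], keep_blank_values=True)  # decodes one layer
        for name in params.get("name", []):
            if is_suspicious_name(name):
                hits.append((m["src"], name))
    return hits

SAMPLE_LOG = [  # constructed sample, not real OrientDB output
    "10.0.0.5 POST /document/demo [name=alice&password=x]",
    "10.0.0.7 POST /document/demo [name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&password=x]",
    "10.0.0.8 POST /document/demo [name=%253Cscript%253E&password=x]",
    "10.0.0.9 GET /document/demo/1 []",
    "10.0.0.6 POST /document/demo [name=bob&note=javascript:void(0)]",
]

if __name__ == "__main__":
    for src, name in flag_user_creation_events(SAMPLE_LOG):
        print(f"{src}: suspicious name {name!r}")
```

Only the two script-bearing name values are flagged; the javascript: string in a different parameter is deliberately ignored to keep the alert tied to the vulnerable field. Pattern matching of this kind is a detection and stopgap-validation heuristic, not a substitute for output encoding.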
